The GDPR includes provisions that promote accountability and governance. These complement the GDPR’s transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance.
We are expected to put into place comprehensive but proportionate governance measures. Good practice tools such as privacy impact assessments and privacy by design are now legally required in certain circumstances.
Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data.
The accountability principle in Article 5(2) requires us to demonstrate that we comply with the principles and states explicitly that this is our responsibility.
This means that we must:
- implement appropriate technical and organisational measures that ensure and demonstrate that we comply;
- maintain relevant documentation on processing activities;
- implement measures that meet the principles of privacy by design and default, such as:
  - data minimisation;
  - allowing individuals to monitor processing; and
  - creating and improving security features on an ongoing basis.
- use data protection impact assessments where appropriate.
What is UCC doing to demonstrate accountability?
- We are creating central Registers of Personal Data which will document what personal data we hold, what we use it for, the legal basis we are relying on in order to process the data, who we may share it with, where it is held and how long we keep it.
- An exercise is underway in UCC to capture this information from every part of the University (see Registers of Personal Data).
- Nominated “Data Protection Champions” in each area are being asked to collate the required information so that the University can demonstrate its compliance with GDPR and identify areas where remedial action is required.
- We are recording all data security breaches.